Wednesday, February 19, 2014

Considering how useful smartphones are, there’s still plenty of untapped potential. Locket has already gone some way to earn smartphone owners cash by turning their lock screens into ad space, and now a new app called Power Sleep harnesses the computational power of the devices to crunch data at a time when they’re otherwise not in use.

Cancer researchers at the University of Vienna find themselves with masses of protein data that they can’t sift through themselves — instead, they rely on computers to process it over long periods of time. To get the job done more quickly, the Power Sleep app developed by Samsung Austria is hoping to crowdsource computing power from the processors inside people’s smartphones. Many already use alarm clock apps that require their phones to be kept running throughout the night, and Power Sleep doubles as a replacement for those apps. Users simply set the alarm and the phone then collects packets of data containing protein sequences from the university, compares them, and sends the results back to the lab. Currently available only for Android, the app is free to download from Google Play.

Power Sleep is similar to existing projects such as Stanford’s Folding@home and UC Berkeley’s BOINC, whose technology the app is actually based upon. Are there other projects that could utilize the combined power of otherwise idle smartphone networks?

Thursday, January 2, 2014

Snapchat, which was thought to be a private messaging app for the iPhone, exposed some 4.6 million users after hackers released a database with apparent Snapchat usernames and partial phone numbers.

The exploit that enabled the usernames and phone numbers to be released was reportedly brought to the Snapchat company months ago to no avail.

On Christmas Day, ZDNet reported that Gibson Security, the group of hackers that discovered the exploit, notified Snapchat of the problem in August.

Gibson Security published a security advisory the same month after Snapchat did not respond or take action.

The exploit could have been fixed by “ten lines of code” and would have never appeared “if they followed best practices and focused on security (which they should be, considering the use cases of the app),” Gibson Security said.

In its Christmas release, Gibson Security also alleged that Snapchat’s statements to investors and the press are entirely false.

Two days after the Gibson Security release, the company downplayed the hack and said they “recently added additional counter-measures and continue to make improvements to combat spam and abuse.”

Yet the database, known as SnapchatDB, was still published publicly (though the site was quickly suspended).

The hackers said they made the data available “in an effort to convince the messaging app to beef up its security,” according to TechCrunch.

“It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal,” SnapchatDB said in a statement. “Security matters as much as user experience does.”

Even after the hackers found the exploit and notified Snapchat, the company only put minor hurdles in place.

“Even long after that disclosure, Snapchat was reluctant to taking the necessary steps to secure user data,” the SnapchatDB release said. “Once we started scraping on a large scale, they decided to implement very minor obstacles, which were still far from enough. Even now the exploit persists.”

The problem apparently remains unaddressed by the company and leaves millions of users exposed.

“It is still possible to scrape this data on a large scale. Their latest changes are still not too hard to circumvent,” the hackers said.

One reader told TechCrunch that he was able to find “his own number, that of several friends and Snapchat founder Evan Spiegel in the list.”

The SnapchatDB hackers told The Verge that they used a modified version of the exploit published by Gibson Security. Clearly, Snapchat didn’t actually patch the problem.

“Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t,” the hackers said.

The SnapchatDB website has been taken down, but it is “not due to legal action,” according to the hackers.

The uncensored database is being offered by the hackers to some who ask, according to The Verge.

Concerned users can use a website by developer Robbie Trencheny to see if their username is included among the 4.6 million.

As of Wednesday morning, Snapchat had not replied to a request for comment from The Washington Post.

As TechCrunch rightly notes, users should avoid being lulled into a false sense of security about the privacy of their information stored with Snapchat.

Tuesday, December 31, 2013

Through a secret program code-named DROPOUTJEEP, the National Security Agency (NSA) has nearly total access to the Apple iPhone, according to documents from security researcher Jacob Appelbaum and Der Spiegel.

A leaked NSA document, posted by tech news site The Daily Dot, describes a “software implant for the Apple iPhone” that can be used to gather information from the phone: It can turn on the microphone and camera, intercept text messages, creep through a contact list and more.

“Either [the NSA] have a huge collection of exploits that work against Apple products, meaning they are hoarding information about critical systems that American companies produce, and sabotaging them, or Apple sabotaged it themselves,” Appelbaum said at the Chaos Communication Conference in Hamburg, Germany on Monday, Dec. 30.

The software reportedly has a 100-percent success rate against iPhones, the Daily Dot reported. The document says the spyware must be installed “via close access methods,” but states that remote installation of the software will be pursued for a future release.

The document is dated Jan. 8, 2010, and is set to be declassified in 2032.

Saturday, December 28, 2013

The new site KnowMyApp.org reveals how much cellular data is used by such popular apps as Facebook, Twitter, YouTube, and Netflix.

(Credit: Screenshot by Lance Whitney/CNET)

You can now find out how much data is used by certain mobile apps before you download them.

Served up by CTIA - The Wireless Association, a Web site dubbed KnowMyApp.org tells you how many megabytes -- or gigabytes, even -- are chewed up by key mobile apps during a typical month of use. The site calculates its figures by measuring someone using the app three times a day under certain scenarios.

For example, a person using Facebook would post five comments, like five posts, view one embedded video, view three embedded photos, scroll through the Timeline, check-in once, and upload one photo. A person using Netflix would search for TV shows, watch a TV show for nine minutes, add a TV show to the favorites list, pause a video, turn on captions, rotate the device, adjust the volume, rewind and fast forward, and finally view a specific category.

The site focuses specifically on iOS and Android apps and shows how much data each one carves out of a typical 2GB data plan per month. Only a small portion of all the apps on the market are covered, but you will find details on some of the most popular ones.

Facebook consumed an average of 433MB per month, Twitter ate up just 67MB, and YouTube snagged 1,294MB, or around 1.2 GB of data. But Netflix maxed out on a typical 2GB data plan with a whopping 4,227 MB, or more than 4GB.

The site is a handy guide for anyone who likes to use mobile apps on the go but doesn't want to trip past their monthly data allowance.

Sunday, December 15, 2013

Francisco Seco/AP - In this October 2013 file photo, a man looks at his cellphone as he walks on the street in downtown Madrid. The NSA’s ability to crack cellphone encryption used by the majority of cellphones in the world offers it wide-ranging powers to listen in on private conversations.
By Craig Timberg and Ashkan Soltani, Published: December 13, 2013 washingtonpost.com

The cellphone encryption technology used most widely across the world can be easily defeated by the National Security Agency, an internal document shows, giving the agency the means to decode most of the billions of calls and texts that travel over public airwaves every day.

While the military and law enforcement agencies long have been able to hack into individual cellphones, the NSA’s capability appears to be far more sweeping because of the agency’s global signals collection operation. The agency’s ability to crack encryption used by the majority of cellphones in the world offers it wide-ranging powers to listen in on private conversations.

U.S. law prohibits the NSA from collecting the content of conversations between Americans without a court order. But experts say that if the NSA has developed the capacity to easily decode encrypted cellphone conversations, then other nations likely can do the same through their own intelligence services, potentially to Americans’ calls, as well.

Encryption experts have complained for years that the most commonly used technology, known as A5/1, is vulnerable and have urged providers to upgrade to newer systems that are much harder to crack. Most companies worldwide have not done so, even as controversy has intensified in recent months over NSA collection of cellphone traffic, including of such world leaders as German Chancellor Angela Merkel.

The extent of the NSA’s collection of cellphone signals and its use of tools to decode encryption are not clear from a top-secret document provided by former contractor Edward Snowden. But it states that the agency “can process encrypted A5/1” even when the agency has not acquired an encryption key, which unscrambles communications so that they are readable.

Experts say the agency may also be able to decode newer forms of encryption, but only with a much heavier investment in time and computing power, making mass surveillance of cellphone conversations less practical.

“At that point, you can still listen to any [individual person’s] phone call, but not everybody’s,” said Karsten Nohl, chief scientist at Security Research Labs in Berlin.

The vulnerability outlined in the NSA document concerns encryption developed in the 1980s but still used widely by cellphones that rely on technology called second-generation (2G) GSM. It is dominant in most of the world but less so in the wealthiest nations, including the United States, where newer networks such as 3G and 4G increasingly provide faster speeds and better encryption, industry officials say.

But even where such updated networks are available, they are not always used, because many phones often still rely on 2G networks to make or receive calls. More than 80 percent of cellphones worldwide use weak or no encryption for at least some of their calls, Nohl said. Hackers also can trick phones into using these less-secure networks, even when better ones are available. When a phone indicates a 3G or 4G network, a voice call might actually be carried over an older frequency and susceptible to decoding by the NSA.

The document does not make clear if the encryption in another major cellphone technology — called CDMA and used by Verizon, Sprint and a small number of foreign companies — has been broken by the NSA as well. The document also does not specify whether the NSA can decode data flows from cellular devices, which typically are encrypted using different technology.

The NSA has repeatedly stressed that its data collection efforts are aimed at overseas targets, whose legal protections are much lower than U.S. citizens’. When questioned for this story, the agency issued a statement, saying: “Throughout history nations have used encryption to protect their secrets, and today terrorists, cyber criminals, human traffickers and others also use technology to hide their activities. The Intelligence Community tries to counter that in order to understand the intent of foreign adversaries and prevent them from bringing harm to Americans and allies.”

German news magazine Der Spiegel reported in October that a listening station atop the U.S. Embassy in Berlin allowed the NSA to spy on Merkel’s cellphone calls. It also reported that the NSA’s Special Collection Service runs similar operations from 80 U.S. embassies and other government facilities worldwide. These revelations — and especially reports about eavesdropping on the calls of friendly foreign leaders — have caused serious diplomatic fallouts for the Obama administration.

Cellphone conversations long have been much easier to intercept than ones conducted on traditional telephones because the signals are broadcast through the air, making for easy collection. Police scanners and even some older televisions once were able to routinely pick up people talking on their cellphones, as a Florida couple did in 1996 when they recorded an overheard conversation involving then-House Speaker Newt Gingrich.

Digital transmission and encryption have become almost universally available in the United States, and they are now standard throughout much of the world. Governments typically dictate what kind of encryption technology, if any, can be deployed by cellphone service providers. As a result, cellular communications in some nations, including China, feature weak encryption or none at all.

A5/1 has been repeatedly cracked by researchers in demonstration projects for more than a decade.

The encryption technology “was designed 30 years ago, and you wouldn’t expect a 30-year-old car to have the latest safety mechanisms,” said David Wagner, a computer scientist at the University of California at Berkeley.

Collecting cellphone signals has become such a common tactic for intelligence, military and law enforcement work worldwide that several companies market devices specifically for that purpose.

Some are capable of mimicking cell towers to trick individual phones into directing all communications to the interception devices in a way that automatically defeats encryption. USA Today reported Monday that at least 25 police departments in the United States own such devices, the most popular of which go by the brand name Harris StingRay. Experts say they are in widespread use by governments overseas, as well.

Even more common, however, are what experts call “passive” collection devices, in which cell signals are secretly gathered by antennas that do not mimic cellphone towers or connect directly with individual phones. These systems collect signals that are then decoded in order for the content of the calls or texts to be understood by analysts.

Matthew Blaze, a University of Pennsylvania cryptology expert, said the weakness of A5/1 encryption is “a pretty sweeping, large vulnerability” that helps the NSA listen to cellphone calls overseas and likely also allows foreign governments to listen to the calls of Americans.

“If the NSA knows how to do this, presumably other intelligence agencies, which may be more hostile to the United States, have discovered how to do this, too,” he said.

Journalists Marc Ambinder and D.B. Grady reported in their 2013 book “Deep State: Inside the Government Secrecy Industry” that the FBI “has quietly removed from several Washington, D.C.- area cell phone towers, transmitters that fed all data to wire rooms at foreign embassies.”

The FBI declined to comment on that report.

Upgrading an entire network to better encryption provides substantially more privacy for users. Nohl, the German cryptographer, said that breaking a newer form of encryption, called A5/3, requires 100,000 times more computing power than breaking A5/1. But upgrading entire networks is an expensive, time-consuming undertaking that likely would cause interruptions in service for some customers as individual phones would be forced to switch to the new technology.

Amid the uproar over NSA’s eavesdropping on Merkel’s phone, two of the leading German cellphone service providers have announced that they are adopting the newer, stronger A5/3 encryption for their 2G networks.

They “are now doing it after not doing so for 10 years,” said Nohl, who long had urged such a move. “So, thank you, NSA.”

One of those companies, Deutsche Telekom, is the majority shareholder of T-Mobile. T-Mobile said in a statement this week that it was “continuously implementing advanced security technologies in accordance with worldwide recognized and trusted standards” but declined to say whether it uses A5/3 technology or plans to do so for its 2G networks in the United States.

AT&T, the largest provider of GSM cellphone services in the country, said it was deploying A5/3 encryption for parts of its network. “AT&T always protects its customers with the best encryption possible in line with what their device will support,” it said in a statement.

The company already deploys stronger encryption on its 3G and 4G networks, but customers may still wind up using 2G networks in congested areas or places where fewer cell towers are available.

Even with strong encryption, the protection exists only from a phone to the cell tower, after which point the communications are decrypted for transmission on a company’s internal data network. Interception is possible on those internal links, as The Washington Post reported last week. Leading technology companies, including Google and Microsoft, have announced plans in recent months to encrypt the links between their data centers to better protect their users from government surveillance and criminal hackers.

Soltani is an independent security researcher and consultant.

Sunday, December 8, 2013

SAN JOSE, Calif. (AP) — AT&T, under fire for ongoing revelations that it shares and sells customers' communications records to the National Security Agency and other U.S. intelligence offices, says it isn't required to disclose to shareholders what it does with customers' data.

In a letter sent Thursday to the Securities and Exchange Commission, AT&T said it protects customer information and complies with government requests for records "only to the extent required by law."

The telecom giant's letter was a response to a shareholder revolt sparked on Nov. 20 by the New York State Common Retirement Fund, the ACLU of Northern California and others. The groups are demanding that AT&T and Verizon be more transparent about their dealings with the NSA.

In the letter, AT&T said information about assisting foreign intelligence surveillance activities is almost certainly classified. The company said it should not have to address the issue at its annual shareholders meeting this spring.

Nicole Ozer, technology and civil liberties policy director at the ACLU of Northern California, said AT&T has overstepped its bounds.

"It's outrageous that AT&T is trying to block the shareholder proposal," she said. "Customers have a right to know how often their private information is ending up in the government's hands."

AT&T spokesman Mark Siegel said "the letter speaks for itself. We have no comment beyond it."

After the Sept. 11 terror attacks, U.S. agencies established a warrantless program to monitor phone calls and e-mail between individuals in the United States and other countries who are suspected of having links to terrorism. But disclosures in recent weeks from former intelligence contractor Edward Snowden have exposed the breadth and depth of U.S. government surveillance programs on the Internet and over other telecommunications networks. The Washington Post reported this week that the NSA tracks locations of nearly 5 billion cellphones every day overseas, including those of Americans.

Companies are responding to the revelations in a variety of ways. Tech firms including Yahoo and Google are pushing back, adding encryption, filing motions in the FISA court, and arguing that the NSA is overstepping its bounds.

But telecommunications firms appear to be cooperating fully.

"AT&T has not made it clear to investors or customers what data it shares or with whom. Customers should not be the last to know how their personal information is being used by governmental agencies," said New York State Comptroller Thomas DiNapoli.

DiNapoli co-signed the AT&T shareholder resolution on behalf of the New York State Common Retirement Fund, which holds assets totaling about $161 billion. The fund owns more than 15 million shares of AT&T valued at roughly $517 million.

"Customer trust is critical for any business, but nowhere is it more so than for those corporations that handle our personal data and communications," DiNapoli said.

AT&T shareholders Trillium Asset Management in Boston and Durham, N.C.-based Arjuna Capital/Baldwin Brothers were also part of the revolt, which demands that AT&T publish semi-annual transparency reports similar to those from Microsoft, Twitter, LinkedIn, Facebook and Yahoo. The companies disclose the number of government requests for information and whether they comply.

But AT&T noted that those transparency reports don't disclose details about the requests or even separate out the number of National Security Letters companies receive. That information is withheld by the companies because they are barred by the federal government from revealing it, a prohibition many companies are fighting in court.

"In fact, all six Internet companies referenced in the (shareholder's) proposal state that they are not allowed to publicly disclose any such information in their Transparency or Law Enforcement Request Reports," said AT&T. "Therefore, because the proposal is over-broad, it is excludable..."

AT&T also argues that the issue of their disclosure practices with the NSA has not been a topic of "sustained debate over the last several years," a standard they say must be met to require public reporting.

Securities and Exchange Commission spokeswoman Christina D'Amico said the agency declined to comment.

Thursday, December 5, 2013

The T-Mobile mobile virtual network operator is expanding its calling plan to 75 countries and giving customers 1,000 free minutes a month for international calls.

Ultra Mobile is announcing 1,000 free minutes a month for international calls.

(Credit: Ultra Mobile)

Ultra Mobile, an MVNO (mobile virtual network operator) under T-Mobile, announced that starting tomorrow, it will give its customers 1,000 free minutes a month for international calls to more than 70 countries. The carrier will throw in free, unlimited SMS texting to more than 190 countries as well.

This service expands on Ultra Mobile's previous Ultra Zero plan, which was introduced in August.

That plan gave customers 1,000 free minutes for calls made to Canada, China, Mexico, Singapore, and the United Kingdom. But with this announcement, customers can now call countries such as India, Vietnam, Nigeria, and more, with 1,000 free minutes a month.

Keep in mind that Ultra Mobile's lowest monthly plan costs $19, which will get you 250 minutes of talk, unlimited texting, and 50MB of data. Unlimited talk, text, and data, however, can cost up to $59 a month.

Wednesday, November 20, 2013

Sometimes it isn't enough to simply be aware. Here are some practical tips for keeping your valuable phone from scheming baddies.

It may sound obvious, but it's important to keep phones out of reach from opportunistic thieves.

(Credit: Josh Miller/CNET)

At one point or another, every cell phone owner has experienced the onset of panic and despair that hits your gut the moment you realize your phone is missing. This has happened to me more times than I care to admit, and the loss or even active theft of a device as personal as a mobile phone only highlights our dependence on them.

In a related story, CNET's Kent German touches on different security measures you can take with your smartphone OS that can help keep thieves from using your phone once they have it. My job here is to spell out some practical, physical efforts that'll help keep your phone in your possession, and keep you out of trouble.

Lest you think cell phone safety is as obvious as simply being aware of your surroundings (and yes, that's paramount), keep in mind that smartphone robberies, both violent and not, are common and growing in number. It's here where local police report that over 50 percent of robberies in 2012 were related to cell phones, and here where acts of violence have been perpetrated during tech-related robberies.

Smartphones make good targets because their relatively small size makes them easy to snatch and hide, their ubiquity makes them easy to move, and their high value makes them a good return on a thief's investment, netting hundreds of dollars for a quick crime. The more premium the smartphone, the more money it brings in.

1. Get a case

In addition to protecting your phone from scratches and breaks, a basic case can help conceal a distinctive phone's telltale markings. That's a detriment if you're trying to show off your handset's badass styling, but a benefit for maintaining a lower profile. Note: Even though it looks better, a flashy designer case is like sticking a "steal me" marquee on your phone.

2. The claw

The best deterrent of all is to keep your phone hidden away when you're in public, where it's most vulnerable: on a bus or train, waiting in a square, walking down the street alone. But that isn't at all realistic. My phone is my own retreat, mobile workplace, and entertainment hub, too. I climb on a bus, my head nods down to meet the screen. I walk to work, fingers fly while I narrowly avoid smacking into light posts and other sucked-in pedestrians.

Gripping your phone with both hands may seem strange, but could help deter casual thieves. It's also comfier than it looks. (Credit: James Martin/CNET)

So here's what I suggest: grip the phone tightly in your hand, fanning out your fingers as much as possible so that you've formed a protective cage or claw around the phone. Better yet, weave fingers from both hands around the device, so that they're touching. This is especially beneficial for larger phones that are harder to hold onto and therefore easier to snatch.

Someone could still grab it from you, yes, but you've now created a deterrent and the appearance of physically locking on to your device, even if you are completely absorbed.

P.S.: Try not to be completely absorbed. You might miss actual danger, like this tragic shooting of a college student that bus passengers missed while looking at their devices. Even if you're melting into the Internet, it pays to be aware of your surroundings.

3. Adopt a paranoid posture

Phones aren't just connections to my personal life, they're also my livelihood, and I do not want to lose them. So I tend to take the claw technique one step further by training my body into a defensive posture that blocks access to my valuables: purse, phones, etc.

Even if you're completely at ease in your surroundings, it helps to act cautious as a matter of routine. I really turned up the paranoid posture after a CNET reporter recounted how a thief on the bus stole a smartphone from his hands. The moment before the bus doors snapped shut, the perp (who had been waiting by the door) snatched the phone and dashed, trapping my colleague on the bus before he could react.

Here's how you do it: if you're sitting still, hunch your shoulders and turn your elbows out, lower your phone to your lap and perhaps position it behind a crossed leg. If you're walking while listening to a podcast or music, keep the volume low enough so you can hear others approach, and keep a hand on your phone. Glance around by habit, especially if you're talking on the phone, and resist the urge to gaze out at nothing. Targets that look aware are bigger risks.

4. Embrace the art of misdirection

I've heard stories from friends and friends of friends of people being trailed after leaving public transportation or a busy city square after striking up conversation with a "friendly" stranger who then mugs them for their electronics. Is that the fancy, new HTC One Bling Bling I'm carrying? Oh no, overly interested stranger. No, it is not. This is last year's model and it is fatally broken.

If you can feel your phone while you walk, that's a good thing. (Credit: Josh Miller/CNET)

5. Make your phone hard to get, even for you

The easiest place to carry a phone is in your pocket, better yet a jacket pocket, but that's also the place a thief will look first. I've known several industry insiders and journalists who've had cell phones stolen from their pockets, purses, and backpacks, either quietly or as part of a crafty and elaborate plan.

My last major piece of advice is to get into the habit of keeping phones you aren't holding as hard to extract as possible, like the inside pocket of a jacket, the interior pocket of a purse (with the purse clasped or zipped and with your arm blocking the zipper,) and so on. The goal, once again, is to make yourself more work for a thief.

What to do if your phone is stolen

Still, if some baddie does nab your phone, there are a few practical things you can and should do, beyond using a "find my phone" service or other software safeguard.

Report the theft to your carrier immediately. Your carrier will add it to a blacklist that will prevent anyone from using it to make calls or access the data network (Wi-Fi is another story, though). Also, activate any phone tracking and remote device management features at your disposal. Kent has full details in his feature.

Likewise, report the theft to local police right away. They may not be able to get you your phone back, but they may be able to help track thieves if lifted phones are sold through legitimate channels for cash, such as a Web site like Usell or EcoATM. The police also can use apps like Find my iPhone or Android Device Manager to locate your handset.

This may go without saying, but don't get physical with robbers. Another real-life anecdote: I know a woman who managed to run down an iPhone thief for six blocks in New York City, in heels, she was that mad. As impressive as her anger-fueled sprinting was, who knows what kind of weapons or force the panicked thief was prepared to use, or if he was running toward heavy-fisted cronies for backup support.

Especially once you've taken measures to secure your sensitive information, escalating a robbery into a potentially violent act just ain't worth it.

How about you?

Ultimately, the best advice to protect yourself from frustration and grief is to combine software security measures with physical, visual deterrents to make yourself and your phone smaller targets. Do you have any cell phone horror stories, or personal tips to share about smartphone theft prevention? Leave your advice and tales in the comments below.